Privacy in Chinese iOS apps and impact of the personal information protection law
Pub Date: 2024-08-30  DOI: 10.1016/j.clsr.2024.106041
Konrad Kollnig, Lu Zhang, Jun Zhao, Nigel Shadbolt
Computer Law & Security Review, vol. 55, Article 106041
Privacy in apps is a topic of widespread interest because many apps collect and share large amounts of highly sensitive information. In response, the Chinese legislator introduced a range of new data protection laws over recent years, notably the Personal Information Protection Law (PIPL) in 2021. So far, there exists limited research on the impacts of these new laws on apps’ privacy practices. To address this gap, this paper analyses data collection in pairs of 634 Chinese iOS apps, one version from early 2020 and one from late 2021.
Our work finds that many more apps now implement consent. Yet, those end-users who decline consent will often be forced to exit the app. Fewer apps now collect data without consent, but many still integrate tracking libraries. Market concentration in app data collection has seen limited change. At the same time, there exists a larger number of influential and equal market participants than in the West. Among them, Apple was the only relevant foreign company.
We see our findings as characteristic of a first iteration at Chinese data regulation with room for improvement. With the help of enhanced technological capabilities, we expect increased enforcement of the new data rules. There is also room to refine the new laws and make them more targeted at mobile apps and the online sphere, particularly through clear and up-to-date technical specifications for software developers. As such, our findings could also be motivation for non-Chinese policy- and lawmakers to enhance their own data protection regimes.
Royalty rate determination in standard essential patent litigation in China - from regional rate to global rate
Pub Date: 2024-08-27  DOI: 10.1016/j.clsr.2024.106036
Ying Liu
Computer Law & Security Review, vol. 55, Article 106036
Standard essential patent (SEP)-related disputes frequently involve parallel litigation cases in various jurisdictions in the world. With the rapid advancement of the telecommunication industry, Chinese companies are more and more embroiled in such global disputes, particularly with the issue of fair, reasonable, and non-discriminatory (FRAND) rate determination by the courts. Chinese courts are actively asserting jurisdiction over global FRAND disputes. It is important to note that within the framework of Chinese court practice, the court should further improve its trial procedures to ensure that parties have reasonable expectations regarding the rate determination result on the merits and procedural due process. This article reviews the judicial practice in China regarding cases of FRAND rate disputes, summarizing the characteristics and recent developments in court practice. The article outlines how Chinese courts apply the comparable license and top-down approaches to calculate the FRAND rate. Notably, Chinese courts have taken a more flexible and pragmatic approach when addressing this issue, tailoring their decisions based on the circumstances of the individual case. Additionally, it discusses the possibility of Article 24 of the Judicial Interpretation II as the legal basis for determining the global FRAND rate, as well as how the requirement for good-faith negotiation is interpreted by the court and whether the regional discount is reasonable in the context of the global FRAND rate. Consequently, the article argues that the courts should consider harmonizing their practice with prevailing norms in international jurisdictions. Several recommendations for optimizing the trial procedure are also proposed, thereby ensuring scientific rigor and transparency of the rate calculation.
Intimate harms and menstrual cycle tracking apps
Pub Date: 2024-08-25  DOI: 10.1016/j.clsr.2024.106038
Eliza Hammond, Mark Burdon
Computer Law & Security Review, vol. 55, Article 106038
Menstrual cycle tracking applications (‘apps’) are smartphone or tablet apps that allow users to log data pertaining to their period. Using a lens of privacy focussed on intimacy, it will be argued that the control-based harms and intimate harms emerging from these apps require moving from an information privacy law model based on control to one that acknowledges the deeper connection between intimacy and privacy. We examine the privacy policies of 20 menstrual cycle tracking apps to investigate how the control-based protections of the Privacy Act apply. Our findings demonstrate that there are many deficiencies in app privacy policies which give rise to critical questioning about the application of the Australian Privacy Act’s control approach. We argue that the current gender-agnostic control approach of information privacy law does not adequately protect app users and their intimate information. Intimate harms rethink the application of information privacy law by extending its reach beyond the traditional control harms contemplated by the Act and examine how menstrual cycle tracking apps disrupt users’ intimate spheres and relationships. To adequately protect app users from these deeper intimate harms, we contend that information privacy law moves beyond the procedural-based control approach to an information privacy model that is relational, context-dependent and acknowledges the connection between intimacy and privacy.
The New F-word: The case of fragmentation in Dutch cybersecurity governance
Pub Date: 2024-08-23  DOI: 10.1016/j.clsr.2024.106032
Parto Mirzaei, Els De Busser
Computer Law & Security Review, vol. 55, Article 106032
The fragmentation of the Dutch cybersecurity government landscape is a widely discussed phenomenon among politicians, policy makers, and cybersecurity specialists. Remarkably though, a negative narrative underlies the idea of fragmentation, suggesting that we are dealing with a serious problem, one that has the potential of impeding cybersecurity governance in the Netherlands. This research zooms in on how cybersecurity governance is organised within the central government, and which organisations are concerned with the creation, implementation, and oversight of cybersecurity policies vis-à-vis Dutch society. This article provides an overview of all central government organisations (de Rijksoverheid) that are involved in cybersecurity governance on a strategic level. This research provides the first step in doctoral research into the possible implications of the fragmentation of cybersecurity governance in the Dutch central government, and how this fragmentation could potentially impact policy creation, implementation, and oversight. Based on the mapping of this governance landscape, it set out to measure fragmentation based on the number of units or organisations that are concerned with cybersecurity governance in the central government on a strategic level. This study has found that, based on Boyne's (1992) notion of fragmentation and the Dutch government’s definition of tiers, the Dutch cybersecurity governance landscape could indeed, when meticulously following Boyne's counting procedure, be regarded as fragmented.
Operational Technology resilience in the 2023 draft delegated act on cybersecurity for the power sector: An EU policy process analysis
Pub Date: 2024-08-19  DOI: 10.1016/j.clsr.2024.106034
Øyvind Toftegaard, Guro Grøtterud, Bernhard Hämmerli
Computer Law & Security Review, vol. 54, Article 106034
The EU’s 2020 Cybersecurity Strategy promotes cybersecurity as essential for building a resilient, green, and digital Europe. Cleaner energy sources such as wind and solar are more volatile and thus need digital integration with Industrial Control Systems (ICS) for grid balancing. However, the digitization and the properties of cyberspace provide the ability to coordinate disruptive cyberattacks against power grid infrastructures. Digital weapons may be launched against ICS to start multiple cascading outages with a keystroke, causing large-scale blackouts we have never seen before. To reduce risk, the EU’s Strategy describes three objectives for ICS: secure-by-design, resilient, and timely patched. In the strategy, the European Commission suggests a "network code", i.e. a delegated act for the electric power sector, setting rules for cybersecurity in cross-border electricity flows. The draft delegated act of November 2023 presents security requirements for Information and Communication Technology (ICT) and Network and Information Systems (NIS). Although ICS systems are used directly to manage electricity flows, ICS is only mentioned in one of the delegated act’s recitals as a subcategory of ICT products. Suppose Information Technology (IT) rather than Operational Technology (OT) is the focus of the delegated act. In that case, policymakers may not fulfill the EU cybersecurity strategy’s ICS objectives, thus failing to improve the resilience of power grid infrastructures and cross-border electricity flows. This study is a policy process analysis, and its contribution is threefold. First, a literature review is conducted to understand the extent to which the delegated act covers OT. Second, a framework condition analysis is applied to understand why the delegated act lacks OT-specific security requirements. Third, the analysis is extended to understand whether OT is sufficiently covered to achieve the EU strategy’s ICS objectives. In conclusion, our analysis shows a strong intention to include OT-specific security in the preparatory work of the delegated act, but that a stronger position of the IT communities forced OT onto the sideline. Further, the study shows weak fulfillment of general secure-by-design principles and security patch management. These results indicate that OT coverage in the delegated act is not in line with the expectations of the EU’s cybersecurity strategy and the delegated act’s early preparatory work. Therefore, we have suggested three measures to increase the OT resilience focus in the act: (a) define the expressions NIS, ICT services, ICT processes, and ICT in general as umbrella terms that include OT; (b) the foreseen minimum and advanced cybersecurity controls should require OT-specific measures, including holistic secure-by-design principles and patch management covering all patching phases; (c) develop an OT implementation guide for the delegated act. Our work can be used by policymakers to optimize cybersecurity policy processes, and by researchers to study socio-technical gaps in the cybersecurity field.
Pornography, sexual privacy and copyright
Pub Date: 2024-08-19  DOI: 10.1016/j.clsr.2024.105990
Abhilash Nair, James Griffin
Computer Law & Security Review, vol. 54, Article 105990
This article proposes a new paradigm in the consideration of privacy in pornographic works in copyright enforcement actions. It focuses particularly on attempts to threaten individuals with copyright infringement action based on a speculative invoicing model. We approach this issue from the perspective of the right to sexual privacy of alleged infringers, which, as we argue, is particularly pertinent for pornographic works. The courts in England and Wales have broadly recognised the role of individual privacy and embarrassment caused to alleged infringers in the leading cases of Golden Eye and subsequently in Mircom, but the law remains unclear with no real recognition of, or meaningful mechanisms in place to address, the underlying issues. The article points out that this is due to a fundamental lack of appreciation of sexual privacy at a conceptual level in the context of consumption of pornography in the internet age, and consequent failure to consider this in copyright enforcement proceedings. We argue that the law should achieve a balance between the right holder's interest and the sexual privacy of alleged infringers, and copyright enforcement actions need to be approached with this in mind. This calls for a fundamental reconceptualisation of the right to privacy, and we call upon the courts to recognise and balance the sexual privacy rights of the alleged infringers of copyright in pornographic works with the interests of the right holders in certain copyright enforcement actions to achieve fair and equitable outcomes.
How might the GDPR evolve? A question of politics, pace and punishment
Pub Date: 2024-08-17  DOI: 10.1016/j.clsr.2024.106033
Gerard Buckley, Tristan Caulfield, Ingolf Becker
Computer Law & Security Review, vol. 54, Article 106033
The digital age has made personal data more valuable and less private. This paper explores the future of the European Union’s General Data Protection Regulation (GDPR) by imagining a range of challenging scenarios and how it might handle them. We analyse United States, Chinese and European approaches (self-regulation, state control, arm's-length regulators) and identify four key drivers shaping the future regulatory landscape: econopolitics, enforcement capacity, societal trust, and speed of technological development. These scenarios lead us to envision six resultant versions of GDPR, ranging from laxer protection than now to models empowering individuals and regulators. While our analysis suggests a minor update to the status quo GDPR is the most likely outcome, we argue a more robust implementation is necessary. This would entail meaningful penalties for non-compliance, harmonised enforcement, a positive case to counter the regulation-stifles-innovation narrative, defence of cross-border data rights, and proactive guidelines to address emerging technologies. Strengthening the GDPR’s effectiveness is crucial to ensure the digital age empowers individuals, not just information technology corporations and governments.
Pub Date: 2024-08-15 | DOI: 10.1016/j.clsr.2024.106028
Qiang REN , Jing DU
The European Union's Artificial Intelligence Act focuses on establishing harmonized rules across EU Member States so that AI systems are safe, transparent, and respectful of existing laws and fundamental rights. It introduces a risk-based regulatory approach, classifying AI applications by risk levels and imposing stringent compliance requirements on high-risk applications. The paper critically examines the Act's provisions, including its prohibitions on certain AI practices, requirements for high-risk AI systems, and mandates for transparency and human oversight. The paper examines the implications of the Act for international trade and technological regulation, particularly in the context of the World Trade Organization's Technical Barriers to Trade (TBT) Agreement. It addresses the Act's potential impact on developing countries, highlighting concerns that the Act's uniform standards could potentially exacerbate the digital divide and create barriers in global AI innovation and trade. The paper suggests incorporating flexibility and differential standards in the Act, enhancing technical assistance for developing countries, and advocating the EU's active participation in global standard-setting.
Title: Harmonizing innovation and regulation: The EU Artificial Intelligence Act in the international trade context
Journal: Computer Law & Security Review, vol. 54, Article 106028 (published 2024-08-15)
Pub Date: 2024-08-14 | DOI: 10.1016/j.clsr.2024.106020
Alessandro Mantelero
What is the context which gave rise to the obligation to carry out a Fundamental Rights Impact Assessment (FRIA) in the AI Act? How has assessment of the impact on fundamental rights been framed by the EU legislator in the AI Act? What methodological criteria should be followed in developing the FRIA? These are the three main research questions that this article aims to address, through both legal analysis of the relevant provisions of the AI Act and discussion of various possible models for assessment of the impact of AI on fundamental rights.
The overall objective of this article is to fill existing gaps in the theoretical and methodological elaboration of the FRIA, as outlined in the AI Act. In order to facilitate the future work of EU and national bodies and AI operators in placing this key tool for human-centric and trustworthy AI at the heart of the EU approach to AI design and development, this article outlines the main building blocks of a model template for the FRIA. While this proposal is consistent with the rationale and scope of the AI Act, it is also applicable beyond the cases listed in Article 27 and can serve as a blueprint for other national and international regulatory initiatives to ensure that AI is fully consistent with human rights.
Title: The Fundamental Rights Impact Assessment (FRIA) in the AI Act: Roots, legal obligations and key elements for a model template
Journal: Computer Law & Security Review, vol. 54, Article 106020 (published 2024-08-14)
Open access PDF: https://www.sciencedirect.com/science/article/pii/S0267364924000864/pdfft?md5=8d7f252655f8baa66bbefaa915063643&pid=1-s2.0-S0267364924000864-main.pdf
Pub Date: 2024-08-07 | DOI: 10.1016/j.clsr.2024.106029
Larissa Galdino de Magalhães Santos
Open Government Data (OGD) has evolved from the mere generation of public data to its active management, but the strategic evolution still needs to be explored. This article explores the intersection of government's digital transformation, the Sustainable Development Goals (SDGs), and the role of government open data initiatives. The study focuses on the Brazilian trajectory, employing the "data as a public good" approach to evaluate data governance and capabilities as facilitators of sustainable digital transformation. The GDB method aligns with the SDG Digital Acceleration agenda, providing insights into integrating data in society and digital transformation. The study concludes by indicating the need for more dialogue and synergy between data management and government strategies. It emphasizes integrating data management, privacy protection, transparency, and ethical considerations for sustainable impact.
Title: Open government data in the Brazilian digital government: Enabling an SDG acceleration agenda
Journal: Computer Law & Security Review, vol. 54, Article 106029 (published 2024-08-07)